Disable Password Reset In WordPress

If you run WordPress and are tired of having script kiddies clicking the “forgot password” link and getting emails, just disable it by editing your .htaccess file. If you’re running your own instance you don’t need it anyway.

<IfModule mod_rewrite.c>
RewriteEngine On

#...

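# Redirect any request whose query string contains action=lostpassword
# to the same path with the query string stripped (the trailing "?").
RewriteCond %{QUERY_STRING} action=lostpassword
RewriteRule (.*) $1? [R=permanent]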
</IfModule>

Public-key cryptography should replace text passwords

The recent leaking of almost 10 million passwords from LinkedIn, eHarmony and Last.fm is unsettling to say the least, but it has left me wondering…why are we still using text-based passwords?

We already use public-key crypto to secure and authenticate our interactions with websites via SSL. It seems straightforward to have all computers, cellphones, etc. generate a public and private key per user, and then any website they wish to authenticate to can store the user’s public-key. This process is the same used to allow password-less logins to remote servers via SSH, and sites like GitHub and BitBucket already use this technique to authenticate their users for source version control. Proof of identity can be achieved via side-channel confirmation, using SMS confirmation codes, like many sites (including Facebook and Gmail) already do.

This would have some awesome benefits:

  1. People only need to remember passwords to their devices (computers, smartphones, etc.), which are a lot easier to remember.
  2. Users’ accounts at other websites would no longer be vulnerable when a website they use is hacked. There aren’t any passwords to steal! The only thing that could be compromised is their public-key, which is useless to hackers.
  3. Users wouldn’t need to create dozens of passwords to mitigate the risk of any one of their accounts being hacked.
  4. Hackers interested in getting at a person’s data would have to steal or hack an individual’s device in order to copy their private-key.

I am by no means a security expert, so maybe I’m missing something and I’d love to hear counter-arguments. But there is no such thing as perfect security, and I think that given the proper support from device manufacturers (Apple already does a great job with their keychain built into the OS), this could be a breeze to end-users and it would make everyone’s data a lot safer. Coupled with the ability to remote-wipe and track devices (like the Find My iPhone service), this seems like a no-brainer solution to a long-standing problem.
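
The login flow described above, sketched as an added example (not code from the original post): the site stores only a public key and checks a signature over a fresh random challenge, so a copy of the site's data does not allow a login. The Ed25519 key type, the Server and Device class names and the user 'alice' are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Server: stores only public keys plus one pending challenge per user.
class Server {
  constructor() {
    this.publicKeys = new Map(); // username -> public key (PEM)
    this.pending = new Map();    // username -> outstanding nonce
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verifyLogin(user, signature) {
    const nonce = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // a challenge is single-use
    if (!nonce || !pem) return false;
    return nodeCrypto.verify(null, nonce, pem, signature);
  }
}

// Device: generates the key pair; the private key never leaves it.
class Device {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ed25519');
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(nonce) {
    return nodeCrypto.sign(null, nonce, this.privateKey);
  }
}

function demo() {
  const server = new Server();
  const device = new Device();
  server.register('alice', device.publicKeyPem);
  const sig = device.sign(server.issueChallenge('alice'));
  const login = server.verifyLogin('alice', sig);
  server.issueChallenge('alice'); // fresh nonce, old signature replayed
  const replay = server.verifyLogin('alice', sig);
  // Someone holding a copy of the server's data has no private key.
  const other = new Device();
  const forged = server.verifyLogin('alice', other.sign(server.issueChallenge('alice')));
  return { login, replay, forged };
}
```

Calling `demo()` returns the outcome of the genuine login, the replayed signature and the signature made with a different key.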

Make Eclipse Run Blazingly Fast On Mac OS X

If you use Eclipse on OS X, you’ve probably been frustrated by how slow it can be. As it turns out, this can be easily improved upon!

Eclipse uses Java 1.5 by default in OS X. This is probably for compatibility reasons, but I don’t know for sure. Regardless, I got a huge boost by modifying my eclipse.ini with the following settings:

-Dosgi.requiredJavaVersion=1.6
-XX:PermSize=256m
-XX:MaxPermSize=256m
-Xms1024m
-Xmx1024m

The key change is the first line, -Dosgi.requiredJavaVersion. Make sure it is set to 1.6. The other settings deal with the amount of memory allocated to the JVM for various purposes. The settings I’ve listed above may be too aggressive if you only have 4GB of RAM, but you can play around with them if you want, or leave them as they are already configured. The important thing is changing to Java 1.6.

You may be wondering, “where can I find the eclipse.ini file?”. You need to navigate to the Eclipse application in Finder, then right-click and select “Show Package Contents”. Then open the Contents/MacOS folder and you’ll find your eclipse.ini. Spotlight will not find it because it’s inside the application bundle. Of course, you could also use Terminal, but I’ll assume that if you use Terminal, you can find it on your own ;-).

Enjoy! This made Eclipse much faster / more responsive for me.

By the way, if you’re still on OS X Leopard, the default JVM there is 1.5. I’m not sure (since I don’t have Leopard anymore), but you might need to adjust your Java Preferences. See: Selecting Java version on OS X Leopard.

Quickly enable robust Python logging throughout an application

Sometimes it’s helpful to quickly enable logging in a Python application so you can peer into what the libraries you depend on are doing under the hood. Many libraries include logging, but to see their messages you need to configure a root-level logger in your application’s “main”.

It took me longer than I’d hoped to get this set up for a script I was working on to test out some ideas, so hopefully this post will save someone else some time.

In your application or script’s main file or thread:

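import logging

# Configure the root logger once, at startup, so that records from
# every library logger propagate to it and are printed.
logging.basicConfig(
    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
    level=logging.DEBUG,
)
logger = logging.getLogger()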

Beware gotcha when using HTML comments in Firefox

Just spent far too much time on this little gotcha; hopefully this saves someone a lot of frustration!

Let’s say you have some markup, like so:

<div id="someContainer">
    <span>Some text</span>
</div><!-- someContainer -->

It’s relatively common for people to put a closing comment to help match up closing tags. I personally don’t care for it because it adds bytes to your HTML and a decent IDE should make it clear which opening and closing tags are paired together. Nevertheless, a lot of people do it, including some people I work with.

Where you can get into trouble is if you decide you want to comment out that markup, like this:

<!--
<div id="someContainer">
    <span>Some text</span>
</div><!-- someContainer -->

Both my Eclipse IDE and the Chrome and Safari (WebKit-based) browsers had absolutely no problem with this. But Firefox thinks that a comment open tag has been left open, and it produces mangled HTML as a result!

If you are seeing weird behavior in Firefox, check your HTML comments!

Learn to be an iOS Developer from the best, without paying tuition

There are some really great resources available if you want to learn to develop for the iOS platform (iPhones, iPod Touches, iPads). But perhaps the best resources out there are free! Professor Paul Hegarty of Stanford teaches CS 193P – iPhone Application Development, and all of the lectures are available for free on iTunes U!

Here’s everything you need to get started:

The Lectures

Xcode

Xcode is Apple’s comprehensive App development tool suite, including tools to write code, graphically build your app’s user interfaces, debug, and measure performance. It’s free if you’re already an Apple Developer, but if you’re not, you can buy it for $4.99 on the Mac App Store. (Note: it is a huge download, more than 4GB. Go do something else while it’s downloading!)

Syllabus and Homework

The course materials can be found here.

One final note: these materials were produced before iOS5 and Xcode 4. However, the updated lectures for these newer versions should be posted in early November, 2011 (soon!). That said, I’ve taken some of the classes already, and I haven’t had any issues even though I’m using the newer version of Xcode.

Recommended Prerequisites

You’ll be best prepared to dive right into iOS development if you have prior experience with:

However, if you’ve got enough drive, these deficits in experience are merely obstacles to overcome. Apple’s tools for iOS development amount to the most advanced and straightforward graphical application stack I’ve ever seen. An awful lot of the scary and complicated stuff is handled automatically for you, and you can mostly build your entire applications in Interface Builder by dragging and dropping the buttons, sliders, etc. that you need to make your app tick!

Disabling Chrome’s Obnoxious HTML5 Form Validation

Has anyone else been bitten by this recently? You’re making a form for your website, and you need to collect the user’s email address. Rockstar web developer that you are, you use Google Chrome to test, and you’re using the fancy new HTML5 <form> tags. You maybe have something like:

<form id="signupForm" method="POST">
<input id="email" name="email" type="email" />
<input id="passwd" name="passwd" type="password" />
<input id="confirm" name="confirm" type="password" />
</form>

And then you go to test out your form in Chrome. You type in a bogus email address to test your server-side input validation.

And when you hit enter to submit the form, you see this:

Where did this come from!?! Chrome apparently tries to do its own form validation. Which is great I guess, but not when you want to do your own custom validation.

Luckily, this is easily disabled using the “novalidate” attribute in the <form> element, like so:

<form id="signupForm" method="POST" novalidate>

Entrepreneurs Threatened By Ironically Named America Invents Act

So you’ve got a great idea for a business? Odds are, you’re not the only one that’s thought of it.

One of the biggest worries–and wastes of time–for new entrepreneurs is “what if someone else steals my idea?” They get very secretive, make people sign NDAs, and start talking to patent lawyers. As if you have the capital to litigate an infringer! What you really should be doing is going out and talking to customers and telling people your idea. You need to validate it in the marketplace!

Big companies couldn’t care less about what patents you hold, especially if you haven’t executed and produced the widget or service your patent describes. In the world we live in, it is usually wiser to act on attractive business opportunities if you have the means to execute on them than to worry about potential infringement. Android is a perfect example of this. Google entered the smartphone market and became a leader in two years. Now there’s a war being waged over smartphone patents, but Android marketshare continues to grow.

President Obama is about to sign a patent reform bill into law that will make it even harder for entrepreneurs to innovate and create jobs. The America Invents Act switches US patent law from a “first to invent” to a “first to file” system. This means that prior art no longer can invalidate a patent–unless it can be proven that the idea was directly stolen from the original inventor. This change will go into effect 18 months after enactment.

This change in the patent system, while more in line with the rest of the world, will simply cause an avalanche of patent filings by major corporations and patent trolls. Big companies who can afford full-time patent lawyers now have an even larger advantage over small entrepreneurs who oftentimes cannot even afford the cost or time of filing a decent provisional patent.

Serious patent reform is necessary if America is to continue in its place as the world’s leader in economic power. We need to encourage innovation, and this patent “reform” bill does just the opposite. It places more power in the hands of large corporations, and consequently places innovative start-ups at an even greater disadvantage.

This bill will make it harder for entrepreneurs to do what they do–innovate, and create jobs. Research by the Kauffman Foundation shows that new companies add 3 million jobs annually, while older companies lose 1 million. With unemployment at 9.1%, we really cannot afford to pass laws that give advantages to companies that, on balance, lose jobs each year.